[Cryptography] NSA’s FAQs Demystify the Demise of Suite B

Jerry Leichter leichter at lrw.com
Mon Feb 15 23:17:41 EST 2016 

> A careful reading will suggest two things.  Firstly, the NSA is now removing choice where it can - one only curve, one only SHA, one only AES.  It's also looking askance at RSA/DH family, and askance at numbers other than 3072.
That's one possible reading.  There weren't any real choices before this update:  There were two levels (Secret and below; Top Secret) which differed in apparent security and in the cost they imposed on implementations.  As the document itself says, these days, the performance of hardware has gotten good enough that they really don't need the old Secret level - so they just moved everything up to what had been the old Top Secret level.

There was a nominal choice before - Secret (or below) stuff *could* be sent using the TS-level values - but in practice this was unlikely to be done because of interoperability constraints:  Implementations that limited themselves to S or below would typically not implement the TS algorithms at all.

The choice of RSA vs. ECC hasn't really gone away; in fact, they've left it more open than earlier versions, which pushed for evolution toward ECC.

From what we've seen NSA *never* seems to have been big on offering choices.  They build systems for particular distinct use cases - one per use case.  Of course, given the nature of the nation-state spying game, they have to be prepared for the possibility of large-scale compromises, which have happened many times over the years.  They appear to do this by being in a position to completely replace a system when necessary.  Since, large as they are, the total  number of units they have fielded is small compared with, say, cell phones; and they resources they have to push a change is immensely larger on a per-unit basis; they can live with this much better than the open world can.  (It is interesting that they don't seem concerned about forward security.  You'd think that would be very valuable when doing damage assessment and control.)

                                                        -- Jerry

More information about the cryptography mailing list